Abstract. We consider the model of priced (a.k.a. weighted) timed automata, an extension of timed automata with cost information on both locations and transitions, and we study various model-checking problems for that model based on extensions of classical temporal logics with cost constraints on modalities. We prove that, under the assumption that the model has only one clock, model-checking this class of models against the logic WCTL, CTL with cost-constrained modalities, is PSPACE-complete (while it has been shown undecidable as soon as the model has three clocks). We also prove that model-checking WMTL, LTL with cost-constrained modalities, is decidable only if there is a single clock in the model and a single stopwatch cost variable (i.e., whose slopes lie in {0, 1}).

An interesting direction of real-time model-checking that has recently received substantial attention is the extension and re-targeting of timed automata technology towards optimal scheduling and controller synthesis [AAM06, RLS04, BBL08].

In particular, scheduling problems can often be reformulated in terms of reachability questions with respect to behavioural models where tasks and resources relevant for the scheduling problem in question are modelled as interacting timed automata [BLR05a]. Although there exists a wide body of literature and established results on (optimal) scheduling in the fields of real-time systems and operations research, the application of model-checking has proved to provide a novel and competitive technology. In particular, model-checking has the advantage of offering a generic approach, going well beyond most classical scheduling solutions, which have good properties only for scenarios satisfying specific assumptions that may or, quite often, may not apply in actual practical circumstances. Of course, model-checking comes with its own restrictions and stumbling blocks, the most notorious being the state-space explosion. A lot of research has thus been devoted to "guide" and "prune" the reachability search [BFH+01a].

As part of the effort on applying timed automata technology to scheduling, the notion of priced (or weighted) timed automata [BFH+01b, ALP01] has been promoted as a useful extension of the classical model of timed automata allowing continuous consumption of resources (e.g. energy, money, pollution, etc.) to be modelled and analyzed. In this way one may distinguish different feasible schedules according to their consumption of resources (i.e., accumulated cost) with obvious preference for the optimal schedule with minimal resource requirements.

Within the model of priced timed automata, the cost variables serve purely as evaluation functions or observers, i.e., the behaviour of the underlying timed automata may in no way depend on these cost variables. As an important consequence of this restriction — and in contrast to the related models of constant slope and linear hybrid automata — a number of optimization problems have been shown decidable for priced timed automata, including minimum-cost reachability [BFH+01b, ALP01, BBBR07], optimal (minimum and maximum cost) reachability in multi-priced settings [LR05] and cost-optimal infinite schedules [BBL04, BBL08] in terms of minimal (or maximal) cost per time ratio in the limit. Moreover UPPAAL Cora [BLR05b] provides an efficient tool for computing cost-optimal or near-optimal solutions to reachability questions, implementing a symbolic A* algorithm based on a new data structure (so-called priced zones) allowing for efficient symbolic state representation with additional cost information.

Cost-extended versions of temporal logics such as CTL (branching-time) and LTL (linear-time) appear as natural "generalizations" of the above optimization problems. Just as TCTL and MTL provide extensions of CTL and LTL with time-constrained modalities, WCTL and WMTL are extensions with cost-constrained modalities interpreted with respect to priced timed automata. Unfortunately, the addition of cost now turns out to come with a price: whereas the model-checking problems for timed automata with respect to TCTL and MTL are decidable, it has been shown in [BBR04] that model-checking priced timed automata with respect to WCTL is undecidable. Also, in [BBR05] it has recently been shown that the problem of determining cost-optimal winning strategies for priced timed games is not computable. In [BBM06] it has been shown that these negative results hold even for priced timed (game) automata with no more than three clocks.

Recently, the restriction of timed systems to a single clock has raised some attention, as it leads to much nicer decidability and complexity results. Indeed, the emptiness problem in single-clock timed automata becomes NLOGSPACE-Complete [LMS04] instead of PSPACE-Complete in the general framework [AD94]. Also, the emptiness problem is decidable for single-clock alternating timed automata and is undecidable for general alternating timed automata [LW05, OW05, LW08, OW07]. Even more recently, cost-optimal timed games have been proved decidable for one-clock priced timed games [BLMR06], and construction of almost-optimal strategies can be done.

In this paper we focus on model-checking problems for priced timed automata with a single clock. On the one hand, we show that the model-checking problem with respect to WCTL is PSPACE-Complete under the "single clock" assumption. This is rather surprising as model-checking TCTL (the only cost variable is the time elapsed) under the same assumption is already PSPACE-Complete [LMS04]. On the other hand, we prove that the model-checking problem with respect to WMTL, the linear-time counterpart of WCTL, is decidable if we add the extra requirement that there is only one cost variable, which is stopwatch (i.e., with slopes in {0,1}). We also prove that those two conditions are necessary to get decidability, by proving that any slight extension of that model leads to undecidability.

The paper is organized as follows: In Section 1 we present the model of priced timed automata. Section 2 is devoted to the definition of WCTL, and to the proof that it is decidable when the model has only one clock. We propose an EXPTIME algorithm, which we then slightly modify so that it runs in PSPACE. Section 3 then handles the linear-time case: we first define WMTL, prove that it is decidable under the single-clock and single-stopwatch-cost assumptions, and that it is undecidable if we lift any of these restrictions.

1. Preliminaries 

1.1. Priced Timed Automata. In the sequel, $\mathbb{R}_+$ denotes the set of nonnegative reals. Let $X$ be a set of clock variables. The set of clock constraints (or guards) over $X$ is defined by the grammar $g ::= x \sim c \mid g \wedge g$, where $x \in X$, $c \in \mathbb{N}$ and $\sim\ \in \{<, \le, =, \ge, >\}$. The set of all clock constraints is denoted $\mathcal{B}(X)$. That a valuation $v\colon X \to \mathbb{R}_+$ satisfies a clock constraint $g$ is defined in the natural way ($v$ satisfies $x \sim c$ whenever $v(x) \sim c$), and we then write $v \models g$. We denote by $v_0$ the valuation that assigns zero to all clock variables, by $v + t$ (with $t \in \mathbb{R}_+$) the valuation that assigns $v(x) + t$ to all $x \in X$, and for $R \subseteq X$ we write $[R \leftarrow 0]v$ to denote the valuation that assigns zero to all variables in $R$ and agrees with $v$ for all variables in $X \setminus R$.

Definition 1.1. A priced timed automaton (PTA for short) is a tuple $\mathcal{A} = (Q, q_0, X, T, \eta, (\mathrm{cost}_i)_{1 \le i \le p})$ where $Q$ is a finite set of locations, $q_0 \in Q$ is the initial location, $X$ is a set of clocks, $T \subseteq Q \times \mathcal{B}(X) \times 2^X \times Q$ is the set of transitions, $\eta\colon Q \to \mathcal{B}(X)$ defines the invariant of each location, and each $\mathrm{cost}_i\colon Q \cup T \to \mathbb{N}$ is a cost (or price) function.

For $S \subseteq \mathbb{N}$, a cost $\mathrm{cost}_i$ is said to be $S$-sloped if $\mathrm{cost}_i(Q) \subseteq S$. If $S = \{0, 1\}$, it is said to be stopwatch. If $|S| = n$, we say that the cost $\mathrm{cost}_i$ is $n$-sloped.

The semantics of a PTA $\mathcal{A}$ is given as a labeled timed transition system $\mathcal{T}_{\mathcal{A}} = (S, s_0, \to)$ where $S \subseteq Q \times \mathbb{R}_+^X$ is the set of states, $s_0 = (q_0, v_0)$ is the initial state, and the transition relation ${\to} \subseteq S \times (T \cup \mathbb{R}_+) \times S$ is composed of delay and discrete moves defined as follows:

(1) (discrete move) $(q, v) \xrightarrow{e} (q', v')$ if $e = (q, g, R, q') \in T$ is s.t. $v \models g$, $v' = [R \leftarrow 0]v$ and $v' \models \eta(q')$. The $i$-th cost of this discrete move is $\mathrm{cost}_i\big((q,v) \xrightarrow{e} (q',v')\big) = \mathrm{cost}_i(e)$.

(2) (delay move) $(q, v) \xrightarrow{t} (q, v + t)$ if $v + t' \models \eta(q)$ for all $0 \le t' \le t$. The $i$-th cost of this delay move is $\mathrm{cost}_i\big((q,v) \xrightarrow{t} (q, v + t)\big) = t \cdot \mathrm{cost}_i(q)$.

A discrete move or a delay move will be called a simple move. A mixed move $(q, v) \xrightarrow{t, e} (q', v')$ corresponds to the concatenation of a delay move and a discrete move. For technical reasons, we only consider non-blocking PTAs, because we will further interpret logical formulas over infinite paths. The $i$-th cost of this mixed move is the sum of the $i$-th costs of the two moves.

A finite (resp. infinite) run of a PTA is a finite (resp. infinite) sequence of mixed moves in the underlying transition system. A run of $\mathcal{A}$ will thus be distinguished from a path in $\mathcal{T}_{\mathcal{A}}$, which is composed of simple moves and where stuttering of delay moves is allowed. Note however that a path in $\mathcal{T}_{\mathcal{A}}$ is naturally associated with a run in $\mathcal{A}$. The $i$-th cost of a run $\varrho$ in $\mathcal{A}$ (resp. path $\varrho$ in $\mathcal{T}_{\mathcal{A}}$) is the sum of the $i$-th costs of the mixed (resp. simple) moves composing the run (resp. path), and is denoted $\mathrm{cost}_i(\varrho)$. The length $|\varrho|$ of a finite run $\varrho = s_0 \xrightarrow{t_1, e_1} s_1 \xrightarrow{t_2, e_2} \cdots \xrightarrow{t_n, e_n} s_n$ is $n$. A position along $\varrho$ is a nonnegative integer $\pi \le |\varrho|$. Given a position $\pi$, $\varrho[\pi]$ denotes the corresponding state $s_\pi$, whereas $\varrho_{\le \pi}$ denotes the finite prefix of $\varrho$ ending at position $\pi$, and $\varrho_{\ge \pi}$ is the suffix starting at $\pi$.

Remark 1.2. In the model of priced timed automata, the cost variables only play the role of observers (they are history variables in the sense of [OG76, KT88]): the values of these variables don't constrain the behaviour of the system (the behaviours of a priced timed automaton are those of the underlying timed automaton), but can be used as evaluation functions. For instance, problems such as "optimal reachability" [BFH+01b, ALP01], "optimal infinite schedules" [BBL04] or "optimal reachability timed games" [ABM04, BCFL04, BBR05, BBM06] have recently been investigated. The problem we consider in this paper is closely related to these kinds of problems: we will use temporal logics as a language for evaluating the performances of a system.

1.2. Example. The PTA of Figure 1 models a never-ending process of repairing problems, which are bound to occur repeatedly with a certain frequency. The repair of a problem has a certain cost, captured in the model by the cost variable $c$. As soon as a problem occurs (modeled by the Problem location) the value of $c$ grows with rate 3, until actual repair takes place in one of the locations Cheap (rate 2) or Expensive (rate 4). At most 20 time units after the occurrence of a problem it will have been repaired one way or another.

Figure 1: Repair problem as a PTA

Figure 2: Minimum cost of repair and associated strategy in location Problem

In this setting we are interested in properties concerning the cost of repairs. For instance, we would like to express that whenever a problem occurs, it may be repaired (i.e., reach the location OK) within a total cost of 47. In fact Figure 2 gives the minimum cost of repair — as well as an optimal strategy — for any state of the form (Problem, $x$) with $x \in [0, 10]$. Correspondingly, the minimum cost of reaching OK from states of the form (Cheap, $x$) (resp. (Expensive, $x$)) is given by the expression $45 - 2x$ (resp. $60 - 4x$). Symmetrically, we would like to express properties on the worst cost to repair, or to link the uptime with the (best, worst) cost of repairing. As will be illustrated later, extending temporal logics with cost information provides a nice setting for expressing such properties.
2. Model Checking Branching-Time Logics

We first focus on the case of branching-time logics. From this point on, AP denotes a 
fixed, finite, non-empty set of atomic propositions. We first define the cost-extended version 
of CTL. 

2.1. The Logic WCTL. The logic WCTL¹ [BBR04] extends CTL with cost constraints. Its syntax is given by the following grammar:

$$\mathrm{WCTL} \ni \varphi ::= a \mid \neg\varphi \mid \varphi \vee \varphi \mid \mathbf{E}\,\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\varphi \mid \mathbf{A}\,\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\varphi$$

where $a \in AP$, $\mathrm{cost}$ is a cost function, $c$ ranges over $\mathbb{N}$, and $\sim\ \in \{<, \le, =, \ge, >\}$.

We interpret formulas of WCTL over labeled PTA, i.e. PTA having a labeling function $\ell$ which associates with every location $q$ a subset of $AP$. We identify each cost appearing in the WCTL formulas with the cost having the same name in the model (which is assumed to exist).

Definition 2.1. Let $\mathcal{A}$ be a labeled PTA. The satisfaction relation of WCTL is defined over configurations $(q, v)$ of $\mathcal{A}$ as follows:

• $(q,v) \models a$ iff $a \in \ell(q)$;

• $(q,v) \models \neg\varphi$ iff $(q,v) \not\models \varphi$;

• $(q,v) \models \varphi \vee \psi$ iff $(q,v) \models \varphi$ or $(q,v) \models \psi$;

• $(q,v) \models \mathbf{E}\,\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$ iff there is an infinite run $\varrho$ in $\mathcal{A}$ from $(q,v)$ s.t. $\varrho \models \varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$;

• $(q,v) \models \mathbf{A}\,\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$ iff any infinite run $\varrho$ in $\mathcal{A}$ from $(q,v)$ satisfies $\varrho \models \varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$;

• $\varrho \models \varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$ iff there exists a position $\pi > 0$ along $\varrho$ s.t. $\varrho[\pi] \models \psi$, for every position $0 < \pi' < \pi$, $\varrho[\pi'] \models \varphi$, and $\mathrm{cost}(\varrho_{\le \pi}) \sim c$.

If $\mathcal{A}$ is not clear from the context, we may write $\mathcal{A}, (q,v) \models \varphi$ instead of simply $(q,v) \models \varphi$.

As usual, we will use shorthands such as "$\mathrm{true} \Leftrightarrow a \vee \neg a$", "$(\varphi \Rightarrow \psi) \Leftrightarrow \neg\varphi \vee \psi$", "$\mathbf{E}\mathbf{F}_{\mathrm{cost} \sim c}\,\varphi \Leftrightarrow \mathbf{E}\,\mathrm{true}\,\mathbf{U}_{\mathrm{cost} \sim c}\,\varphi$", and "$\mathbf{A}\mathbf{G}_{\mathrm{cost} \sim c}\,\varphi \Leftrightarrow \neg\mathbf{E}\mathbf{F}_{\mathrm{cost} \sim c}\,\neg\varphi$". Moreover, if the cost function $\mathrm{cost}$ is unique or clear from the context, we may write $\varphi\,\mathbf{U}_{\sim c}\,\psi$ instead of $\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$. Finally, we omit the subscript "$\sim c$" when it is equivalent to "$\ge 0$" (thus imposing no real constraint).

Example 2.2. We go back to our example of Section 1.2. That it is always possible to repair a problem with cost at most 47 can be expressed in WCTL with the following formula:

$$\mathbf{A}\mathbf{G}\,(\mathrm{Problem} \Rightarrow \mathbf{E}\mathbf{F}_{c \le 47}\,\mathrm{OK}).$$

We can also express that the worst cost to repair is 56, in the sense that state Repair can always be reached within this cost:

$$\mathbf{A}\mathbf{G}\,(\mathrm{Problem} \Rightarrow \mathbf{A}\mathbf{F}_{c \le 56}\,\mathrm{OK}).$$





¹ WCTL stands for "Weighted CTL", following [BBR04] terminology. It would have been more natural to call it "Priced CTL" (PCTL) in our setting, but this would have been confusing with "Probabilistic CTL" [HJ94].
Now, considering time as a special case of a cost (with constant slope 1), we can express properties relating the time elapsed in the OK state and the cost to repair:

$$\mathbf{A}\mathbf{G}\,\big(\neg\mathbf{E}\,(\mathrm{OK}\;\mathbf{U}_{t \ge 8}\;(\mathrm{Problem} \wedge \neg\mathbf{E}\mathbf{F}_{c \le 30}\,\mathrm{OK}))\big).$$

This expresses that if the system spends at least 8 (consecutive) time units in the OK state, then the next Problem can be repaired with cost at most 30.
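The run semantics of the constrained until modality of Definition 2.1, as an added Python example that is not part of the paper: it evaluates $\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$ over a single finite run by computing $\mathrm{cost}(\varrho_{\le \pi})$ from the delays and the location rates of Example 1.2 (rates 3, 2, 4 and 0, discrete costs assumed to be 0), and it shows that position 0 is never a witness. The runs and the encoding of runs as lists are constructed for this illustration.

```python
from fractions import Fraction
from operator import eq, ge, gt, le, lt

# Cost rates of the locations of Example 1.2 (OK has rate 0); discrete costs
# on transitions are assumed to be 0, as in the first part of Section 2.2.
RATE = {"OK": 0, "Problem": 3, "Cheap": 2, "Expensive": 4}
CMP = {"<": lt, "<=": le, "=": eq, ">=": ge, ">": gt}


def locations(run):
    """Locations s_0, ..., s_n visited along a run (constructed encoding)."""
    return [run[0]] + [move[2] for move in run[1:]]


def prefix_costs(run):
    """run = [s_0, (t_1, d_1, s_1), ..., (t_n, d_n, s_n)]: s_k is the location at
    position k, t_k the delay of the k-th mixed move (spent in s_{k-1}) and d_k the
    discrete cost of its transition.  Returns cost(rho_<=pi) for pi = 0, ..., n."""
    costs = [Fraction(0)]
    loc = run[0]
    for delay, disc, nxt in run[1:]:
        costs.append(costs[-1] + Fraction(delay) * RATE[loc] + disc)
        loc = nxt
    return costs


def run_satisfies_until(run, phi, psi, rel, c):
    """rho |= phi U_{cost ~ c} psi as in Definition 2.1: some position pi > 0 with
    rho[pi] |= psi and cost(rho_<=pi) ~ c, and rho[pi'] |= phi for all 0 < pi' < pi.
    phi and psi are predicates on locations (atomic propositions = location names)."""
    locs, costs = locations(run), prefix_costs(run)
    for pi in range(1, len(locs)):            # position 0 is never a witness
        if psi(locs[pi]) and CMP[rel](costs[pi], c):
            return True
        if not phi(locs[pi]):                 # phi must hold at every earlier position
            return False
    return False


def at(name):
    return lambda loc: loc == name


TRUE = lambda loc: True

# Constructed runs (clock values omitted: once the delays are fixed they do not
# influence the cost of the run).
CHEAP_RUN = ["Problem", (5, 0, "Cheap"), (7, 0, "OK"), (3, 0, "OK")]
EXPENSIVE_RUN = ["Problem", (10, 0, "Expensive"), (10, 0, "OK")]
FROM_OK_RUN = ["OK", (4, 0, "Problem"), (5, 0, "Cheap")]


def check_examples():
    """CHEAP_RUN witnesses EF_{c<=47} OK from Problem (cost 15 + 14 = 29);
    EXPENSIVE_RUN costs 70 > 56, so it does not satisfy F_{c<=56} OK;
    FROM_OK_RUN starts in OK but never returns there, so F OK fails."""
    return (run_satisfies_until(CHEAP_RUN, TRUE, at("OK"), "<=", 47),
            run_satisfies_until(EXPENSIVE_RUN, TRUE, at("OK"), "<=", 56),
            run_satisfies_until(FROM_OK_RUN, TRUE, at("OK"), ">=", 0))


if __name__ == "__main__":
    print(prefix_costs(CHEAP_RUN), check_examples())
```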

The main result of this section is the following theorem:

Theorem 2.3. Model-checking WCTL on one-clock PTA is PSPACE-Complete.

The PSPACE lower bound can be proved by a direct adaptation of the PSPACE-Hardness proof for the model-checking of TCTL, the restriction of WCTL to time constraints, over one-clock timed automata [LMS04].

The PSPACE upper bound is more involved, and will be done in two steps:

(1) first we will exhibit a set of regions which will be correct for model-checking WCTL formulas, see Section 2.2;

(2) then we will use this result to propose a PSPACE algorithm for model-checking WCTL, see Section 2.3.

Finally, it is worth recalling here that model-checking WCTL over priced timed automata with three clocks is undecidable [BBM06].

2.2. Sufficient Granularity for WCTL. The proof of Theorem 2.3 partly relies on the following proposition, which exhibits, for every WCTL formula $\Phi$, a set of regions within which the truth of $\Phi$ is uniform. Note that these are not the classical regions as defined in [AD94, ACD93], because their granularity needs to be refined in order to be correct. Computing a sufficient granularity was already a key step for checking duration properties in simple timed automata [BES93].

Proposition 2.4. Let $\Phi$ be a WCTL formula and let $\mathcal{A}$ be a one-clock PTA. Then there exists a finite set of constants $\{a_0, \ldots, a_n\}$ satisfying the following conditions:

• $0 = a_0 < a_1 < \ldots < a_n < a_{n+1} = +\infty$;

• for every location $q$ of $\mathcal{A}$, for every $0 \le i \le n$, the truth of $\Phi$ is uniform over $\{(q, x) \mid a_i < x < a_{i+1}\}$;

• $\{a_0, \ldots, a_n\}$ contains all the constants appearing in clock constraints of $\mathcal{A}$;

• the constants are integral multiples of $1/C^{h(\Phi)}$ where $h(\Phi)$ is the constrained temporal height of $\Phi$, i.e., the maximal number of nested constrained modalities² in $\Phi$, and $C$ is the lcm of all positive costs labeling a location of $\mathcal{A}$;

• $a_n$ equals the largest constant $M$ appearing in the guards of $\mathcal{A}$.

In particular, we have $n \le M \cdot C^{h(\Phi)} + 1$.

As a corollary, we recover the partial decidability result of [BBR04], stating that the model-checking of one-clock PTA with a stopwatch cost³ against WCTL formulas is decidable using classical one-dimensional regions of timed automata (i.e., with granularity 1).

² With "constrained modality" we mean a modality decorated with a constraining interval different from $(0, +\infty)$.

³ I.e., a cost with rates in $\{0, 1\}$.
Proof. The proof of this proposition is by structural induction on $\Phi$. The cases of atomic propositions and boolean combinations are straightforward; unconstrained modalities require no refinement of the granularity (the basic CTL algorithm is correct and does not need to refine the granularity); we will thus focus on constrained modalities.

2.2.1. We first assume that $\mathcal{A}$ has no discrete costs (i.e., $\mathrm{cost}(T) = \{0\}$); the extension to the general case will be presented at the end of the proof.

► We first focus on the case when $\Phi = \mathbf{E}\,\varphi\,\mathbf{U}_{\mathrm{cost} \sim c}\,\psi$ (we simply write $\Phi = \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$, and assume that $\mathrm{cost}$ is the only cost of $\mathcal{A}$, as its other costs play no role in the problem). Assume that the result has been proved for the WCTL subformulas $\varphi$ and $\psi$, and that we have merged all constants for $\varphi$ and $\psi$: we thus have constants $0 = a_0 < a_1 < \ldots < a_n < a_{n+1} = +\infty$ such that for every location $q$ of $\mathcal{A}$, for every $0 \le i \le n$, the truth of $\varphi$ and that of $\psi$ are both uniform over $\{(q, x) \mid a_i < x < a_{i+1}\}$. By induction hypothesis, the granularity of these constants is $1/C^{\max(h(\varphi), h(\psi))} = 1/C^{h(\Phi) - 1}$. We will exhibit extra constants such that the above proposition then also holds for the formula $\Phi$. For the sake of simplicity, we will call regions all elementary intervals $(a_i, a_{i+1})$ and singletons $\{a_i\}$.

In order to compute the set of states satisfying $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$, for every state $(q, x)$ we compute all costs of paths from $(q, x)$ to some region $(q', r)$, along which $\varphi$ always holds after a discrete action has been done, and such that a $\psi$-state can immediately be reached via a discrete action from $(q', r)$. We then check whether we can achieve a cost satisfying "$\sim c$" for the mentioned $\psi$-state. We thus first explain how we compute the set of possible costs between a state $(q, x)$ and a region $(q', r)$ in $\mathcal{A}$. Indeed, for checking the existence of a run satisfying $\varphi\,\mathbf{U}_{\sim c}\,\psi$, we will first remove discrete transitions leading to states not satisfying $\varphi$, and then compute all possible costs of runs from $(q, x)$ to some $(q', r)$, where $(q', r)$ is a $\psi$-state just reached by a discrete action, in the restricted graph.

For each index $i$, we restrict the automaton $\mathcal{A}$ to transitions whose guards contain the interval $(a_i, a_{i+1})$, and that do not reset the clock. We denote by $\mathcal{A}_i$ this restricted automaton. Let $q$ and $q'$ be two locations of $\mathcal{A}_i$. As stated by the following lemma, the set of costs of paths between $(q, a_i)$ and $(q', a_{i+1})$ is an interval that can easily be computed:

Lemma 2.5. We assume $a_{i+1} \ne +\infty$. Let $S_i(q, q')$ be the set of locations that are reachable from $(q, a_i)$ and co-reachable from $(q', a_{i+1})$ in $\mathcal{T}_{\mathcal{A}_i}$, and assume it is non-empty (i.e., there is a path joining those two states). Let $c_{\min}^{i,q,q'}$ and $c_{\max}^{i,q,q'}$ be the minimum and maximum costs among the costs of locations in $S_i(q, q')$. Then the set of all possible costs of paths in $\mathcal{T}_{\mathcal{A}_i}$ going from $(q, a_i)$ to $(q', a_{i+1})$ is an interval $\big((a_{i+1} - a_i) \cdot c_{\min}^{i,q,q'},\ (a_{i+1} - a_i) \cdot c_{\max}^{i,q,q'}\big)$, whose end-points may be open or closed. The interval is left-closed iff there exist two locations $r$ and $s$ (with possibly $r = s$) in $S_i(q, q')$ with cost $c_{\min}^{i,q,q'}$ such that⁴ $(q, a_i) \leadsto^*_{\mathcal{A}_i} (r, a_i)$, $(r, a_i) \leadsto^*_{\mathcal{A}_i} (s, a_{i+1})$, and $(s, a_{i+1}) \leadsto^*_{\mathcal{A}_i} (q', a_{i+1})$.

The interval is right-closed iff there exist two locations $r$ and $s$ in $S_i(q, q')$ with cost $c_{\max}^{i,q,q'}$ such that $(q, a_i) \leadsto^*_{\mathcal{A}_i} (r, a_i)$, $(r, a_i) \leadsto^*_{\mathcal{A}_i} (s, a_{i+1})$, and $(s, a_{i+1}) \leadsto^*_{\mathcal{A}_i} (q', a_{i+1})$.

The conditions on left/right-closures characterize whether it is possible to instantaneously reach/leave a location with minimal/maximal cost, or whether a small positive delay has to elapse (due to a strict guard).



⁴ The notation $\alpha \leadsto^*_{\mathcal{A}_i} \alpha'$ means that there is a path in $\mathcal{T}_{\mathcal{A}_i}$ from $\alpha$ to $\alpha'$.
Proof. Obviously the costs of all paths in $\mathcal{T}_{\mathcal{A}_i}$ from $(q, a_i)$ to $(q', a_{i+1})$ belong to the interval $(a_{i+1} - a_i) \cdot [c_{\min}^{i,q,q'}, c_{\max}^{i,q,q'}]$. We will now prove that the set of costs is an interval containing $\big((a_{i+1} - a_i) \cdot c_{\min}^{i,q,q'},\ (a_{i+1} - a_i) \cdot c_{\max}^{i,q,q'}\big)$.

Figure 3: The set of costs between two states is an interval.

Let $\tau_{\min}$ (resp. $\tau_{\max}$) be a sequence of transitions in $\mathcal{A}_i$ leading from $(q, a_i)$ to $(q', a_{i+1})$ and going through a location with minimal (resp. maximal) cost (see Figure 3). Easily enough, the possible costs of the paths following $\tau_{\min}$ (resp. $\tau_{\max}$) form an interval whose left (resp. right) bound is $c_{\min}^{i,q,q'} \cdot (a_{i+1} - a_i)$ (resp. $c_{\max}^{i,q,q'} \cdot (a_{i+1} - a_i)$).

Now, if $c$ and $d$ are the respective costs of $q$ and $q'$, then $\frac{1}{2} \cdot (c + d) \cdot (a_{i+1} - a_i)$ is in both intervals. Indeed, the path following $\tau_{\min}$ (resp. $\tau_{\max}$) which delays $\frac{1}{2} \cdot (a_{i+1} - a_i)$ time units in $q$, then directly goes to $q'$ and waits there for the remaining $\frac{1}{2} \cdot (a_{i+1} - a_i)$ time units achieves the above-mentioned cost. This implies that the set of all possible costs is an interval.

The bound $c_{\min}^{i,q,q'} \cdot (a_{i+1} - a_i)$ is reached iff there is a path from $(q, a_i)$ to $(q', a_{i+1})$ which delays only in locations with cost $c_{\min}^{i,q,q'}$. This is precisely the condition expressed in the lemma. The same holds for the upper bound $c_{\max}^{i,q,q'} \cdot (a_{i+1} - a_i)$. □

Similar results clearly hold for other kinds of regions:

• between a state $(q, a_i)$ and a region $(q', (a_i, a_{i+1}))$ with $a_{i+1} \ne +\infty$, the set of possible costs is an interval $\big(0,\ c_{\max}^{i,q,q'} \cdot (a_{i+1} - a_i)\big)$, where $0$ can be reached iff it is possible to go from $(q, a_i)$ to some state $(q'', a_i)$ co-reachable from $(q', x)$ for some $x \in (a_i, a_{i+1})$, and $\mathrm{cost}(q'') = 0$;

• between a state $(q, x)$, with $x \in (a_i, a_{i+1})$, and $(q', a_{i+1})$, the set of costs is $(a_{i+1} - x) \cdot \big(c_{\min}^{i,q,q'}, c_{\max}^{i,q,q'}\big)$, with similar conditions as above for the bounds of the interval;

• between a state $(q, x)$, with $x \in (a_i, a_{i+1})$, and region $(q', (a_i, a_{i+1}))$ (assuming $a_{i+1} \ne +\infty$), the set of possible costs is $\big[0,\ c_{\max}^{i,q,q'} \cdot (a_{i+1} - x)\big)$;

• between a state $(q, a_n)$ and a region $(q', (a_n, +\infty))$, the set of possible costs is either $[0, 0]$, if no positive cost rate is reachable and co-reachable, or $(0, +\infty)$ otherwise. In the latter case, $0$ can be achieved iff it is possible to reach a state $(q'', a_n)$ with $\mathrm{cost}(q'') = 0$;

• between a state $(q, x)$ with $x \in (a_n, +\infty)$ and a region $(q', (a_n, +\infty))$, the set of costs is either $[0, 0]$ or $[0, +\infty)$, with the same conditions as previously.

We use these computations and build a graph $G$ labeled by intervals which will store all possible costs between symbolic states (i.e., pairs $(q, r)$, where $q$ is a location and $r$ a region) in $\mathcal{T}_{\mathcal{A}}$. Vertices of $G$ are pairs $(q, \{a_i\})$ and $(q, (a_i, a_{i+1}))$, and tuples $(q, x, \{a_i\})$ and $(q, x, (a_i, a_{i+1}))$, where $q$ is a location of $\mathcal{A}$. Their roles are as follows: vertices of the form $(q, x, r)$ are used to initiate a computation; they represent a state $(q, x)$ with $x \in r$. States $(q, \{a_i\})$ are "regular" steps in the computation, while states $(q, (a_i, a_{i+1}))$ are used either for finishing a computation, or just before resetting the clock (there will be no edge from $(q, (a_i, a_{i+1}))$ to any $(q', \{a_{i+1}\})$).
Edges of $G$ are defined as follows:

• $(q, \{a_i\}) \to (q', \{a_{i+1}\})$ if there is a path from $(q, a_i)$ to $(q', a_{i+1})$. This edge is then labeled with an interval $\big((a_{i+1} - a_i) \cdot c_{\min}^{i,q,q'},\ (a_{i+1} - a_i) \cdot c_{\max}^{i,q,q'}\big)$, the nature of the interval (left-closed and/or right-closed) depending on the criteria exposed in Lemma 2.5.

• $(q, \{a_i\}) \to (q', \{a_i\})$ if there is an instantaneous path from $(q, a_i)$ to $(q', a_i)$ in $\mathcal{A}$; the edge is then labeled with the interval $[0, 0]$ (because we assumed there are no discrete costs on transitions of $\mathcal{A}$).

• $(q, \{a_i\}) \to (q', \{a_0\})$ if there is a transition in $\mathcal{A}$ enabled when the value of the clock is $a_i$ and resetting the clock. It is labeled with $[0, 0]$.

• $(q, (a_i, a_{i+1})) \to (q', \{a_0\})$ if there is a transition in $\mathcal{A}$ enabled when the value of the clock is in $(a_i, a_{i+1})$ and resetting the clock. It is labeled with $[0, 0]$.

• $(q, \{a_i\}) \to (q', (a_i, a_{i+1}))$ if there is a path from $(q, a_i)$ to some $(q', a)$ with $a_i < a < a_{i+1}$. This edge is labeled with the interval $\big(0,\ (a_{i+1} - a_i) \cdot c_{\max}^{i,q,q'}\big)$.

• $(q, x, \{a_i\}) \to (q, \{a_i\})$, labeled with $[0, 0]$.

• $(q, x, (a_i, a_{i+1})) \to (q', \{a_{i+1}\})$ if there is a path from some $(q, a)$ with $a_i < a < a_{i+1}$ to $(q', a_{i+1})$. This edge is labeled with $(a_{i+1} - x) \cdot \big(c_{\min}^{i,q,q'}, c_{\max}^{i,q,q'}\big)$.

• $(q, x, (a_i, a_{i+1})) \to (q', (a_i, a_{i+1}))$, labeled with $\big[0,\ (a_{i+1} - x) \cdot c_{\max}^{i,q,q'}\big)$.

Figure 4 represents one part of this graph. Note that each path $\pi$ of this graph is naturally associated with an interval $I(\pi)$ (possibly depending on variable $x$ if we start from a node $(q, x, (a_i, a_{i+1}))$) by summing up all intervals labeling transitions of $\pi$.

Figure 4: (Schematic) representation of the graph $G$ (intervals labeling transitions have been omitted to improve readability)

The correctness of graph $G$ w.r.t. costs is stated by the following lemma, which is a direct consequence of the previous investigations.

Lemma 2.6. Let $q$ and $q'$ be two locations of $\mathcal{A}$. Let $r$ and $r'$ be two regions, and let $\alpha \in r$. Let $d \in \mathbb{R}_+$. There exists a path $\pi$ in $G$ from a state $(q, x, r)$ to $(q', r')$ with $I(\pi)(\alpha) \ni d$ if, and only if, there is a path in $\mathcal{T}_{\mathcal{A}}$ with total cost $d$, going from $(q, \alpha)$ to some $(q', \beta)$ with $\beta \in r'$.

Corollary 2.7. Fix two regions $r$ and $r'$. Then the set of possible costs of paths in $G$ from $(q, x, r)$ to $(q', r')$ is of the form

$$\bigcup_{m \in \mathbb{N}} \big(\alpha_m - \beta_m \cdot x,\ \alpha'_m - \beta'_m \cdot x\big)$$

(possibly with $\beta_m$ and/or $\beta'_m = 0$, and/or $\alpha'_m = +\infty$). Moreover,

• all constants $\alpha_m$ and $\alpha'_m$ are either integral multiples of $1/C^{\max(h(\varphi), h(\psi))}$ or $+\infty$, and constants $\beta_m$ and $\beta'_m$ are either costs of the automaton or $0$;

• if $r = (a_n, +\infty)$, then $\beta_m = \beta'_m = 0$ for all $m$.

Proof. Applying Lemma 2.6, the union of the costs of all paths in $G$ from $(q, x, r)$ to $(q', r')$ represents the set of all possible costs of paths in $\mathcal{T}_{\mathcal{A}}$ from $(q, \alpha)$ with $\alpha \in r$ to some $(q', \beta)$ with $\beta \in r'$. This set can be written as the countable union, for each $m \in \mathbb{N}$, of the costs of paths of length $m$ in $G$, thus a countable union of (a finite union of) intervals. Now, any path in $G$ contains at most one transition issued from a state $(q, x, r)$. Thus, coefficients $\beta_m$ are either $0$, or the cost of some location of $\mathcal{A}$.

Coefficients $\alpha_m$ are then integral combinations of terms of the form $c \cdot (a_{i+1} - a_i)$ where $c$ is the cost of some location. As all $a_i$'s are integral multiples of $1/C^{\max(h(\varphi), h(\psi))}$, we get what we expected. The special form for the unbounded region is obvious from the construction of $G$. □

Lemma 2.8. For every location $q$, and for $\Phi = \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi \in \mathrm{WCTL}$, the set of clock values $x$ such that $(q, x)$ satisfies $\Phi$ is a finite union of intervals. Moreover,

• the bounds of those intervals are integral multiples of $1/C^{h(\Phi)}$;

• the largest finite bound of those intervals is at most the maximal constant appearing in the guards of the automaton.

Proof. The set of clock values $x$ such that $(q, x)$ satisfies $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ can be written as

$$\bigcup_{r\ \text{region}} \{x \in r \mid (q, x) \models \mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi\}.$$

There is a finite number of regions. For the unbounded region, the set of possible costs does not depend on the initial value of $x$, and thus either the whole region satisfies the formula, or no point in that region does. Fix a bounded region $r$, and $x \in r$. Then, $(q, x) \models \mathbf{E}\,\varphi\,\mathbf{U}\,\psi$ if, and only if, there exists a path in $\mathcal{T}_{\mathcal{A}}$ from $(q, x)$ to some $(q', r')$ such that (i) a $\psi$-state is immediately reachable from $(q', r')$ by a discrete move, and (ii) along that path, all states traversed just after a discrete move satisfy $\varphi$. For each pair $(q, r)$ leading to a $\psi$-state, we can apply Corollary 2.7 on the graph obtained after having removed discrete transitions not leading to a $\varphi$-state. The set of possible costs of paths satisfying $\varphi\,\mathbf{U}\,\psi$ is then a (countable) union of the form $\bigcup_{m \in \mathbb{N}} (\alpha_m - \beta_m \cdot x,\ \alpha'_m - \beta'_m \cdot x)$ with the constraints on constants described in the previous corollary. We assume that $r = (a_i, a_{i+1})$ and that the constraint $\sim c$ is either $< c$, or $\le c$, or $= c$ (the other cases would be handled in a similar way). If $\alpha_m - \beta_m \cdot a_i > c$, then the interval $(\alpha_m - \beta_m \cdot x,\ \alpha'_m - \beta'_m \cdot x)$ plays no role for the satisfaction of formula $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ in the region $r$; we can thus remove this interval from the union. Now, $\beta_m$ is an integer which is either null or divides $C$. Thus, as $\alpha_m$ is an integral multiple of $1/C^{\max(h(\varphi), h(\psi))} = 1/C^{h(\Phi) - 1}$, the left-most bounds of interesting intervals can be $\alpha_m - \beta_m \cdot x$ for finitely many $\alpha_m$'s and $\beta_m$'s (with the further option closed or open). Fix some $\alpha$ and $\beta$, and also fix some $\beta'$. For two intervals $(\alpha - \beta \cdot x,\ \alpha'_1 - \beta' \cdot x)$ and $(\alpha - \beta \cdot x,\ \alpha'_2 - \beta' \cdot x)$ in the above union, it is sufficient to keep only the one with the largest $\alpha'$ (because the other is included in this interval). Thus, in the above countable union of intervals, we can select a finite union of intervals which will be sufficient for checking property $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ in region $r$.

We thus assume that the set of costs of paths which may witness formula $\varphi\,\mathbf{U}_{\sim c}\,\psi$ is a finite union of intervals $(\alpha_m - \beta_m \cdot x,\ \alpha'_m -\beta'_m \cdot x)$ with $\alpha_m$ and $\alpha'_m$ in $\mathbb{N}/C^{h(\Phi) - 1}$ and $\beta_m$ and $\beta'_m$ in $(C/\mathbb{N}^* \cap \mathbb{N}) \cup \{0\}$. Now, the bounds $a'_i$ of the intervals of positions where $\Phi$ holds should correspond to values of $x$ where one of the bounds $\alpha_m - \beta_m \cdot x$ or $\alpha'_m - \beta'_m \cdot x$ exactly equals $c$. It easily follows that those bounds $a'_i$ are integral multiples of $1/C^{h(\Phi)}$, as required.

This proves that we get only finitely many new intervals, and that the largest constant is the same as for $\varphi$ and $\psi$ (because of the initial remark on the unbounded region), thus it is the largest constant appearing in the automaton. □

This concludes the induction step for formula $\mathbf{E}\,\varphi\,\mathbf{U}_{\sim c}\,\psi$ when the automaton has no discrete cost. We will now handle the cases of the formulas $\mathbf{E}\mathbf{G}_{> c}\,\mathrm{false}$ and $\mathbf{E}\mathbf{G}_{= c}\,\mathrm{false}$ before giving several equivalences to handle all the other cases.

► We now consider the formulas $\Phi = \mathbf{E}\mathbf{G}_{= c}\,\mathrm{false}$ and $\Phi = \mathbf{E}\mathbf{G}_{> c}\,\mathrm{false}$: handling those modalities is sufficient for our proof, as we explain later.

To handle those two formulas, we will extend the graph $G$ defined previously for the initial automaton (with non-refined classical regions). We add to the graph $G$ new "final" states which are triples $\overline{(q, y, r)}$ (we overline them to distinguish them from the initial states). Such a state has the same incoming transitions as the state $(q, r)$, except that we will enforce the final value of the clock to be $y$, and not any value in $r$. For instance, a transition $(q, \{a_i\}) \to \overline{(q', y, (a_i, a_{i+1}))}$ will be labeled by the interval $(0,\ (y - a_i) \cdot c_{\max}]$ (remember the construction of the graph $G$ above). From each of these new final states, we add an outgoing transition labeled by a finite union of intervals corresponding to all the costs of a single mixed move leading to a state from which infinite runs are possible. These intervals are either of the form $(0,\ \gamma \cdot (b - y))$, or of the form $(\gamma \cdot (a - y),\ \gamma \cdot (b - y))$ where $\gamma$ is the cost rate of the corresponding state, and $a$, $b$ are constants of the automaton.

Now, we omit the details, but they are very similar to those for the original graph $G$. In this extended graph, the set of possible costs of paths in $\mathcal{A}$ from $(q,x)$ to $(q',y)$ corresponds to the set of costs of paths in the new graph from $(q,x,r)$ to $\overline{(q',y,r')}$ and is a countable union
countable union 



where $\alpha_m$ and $\alpha'_m$ are integers (or $+\infty$), and $\beta_m$, $\beta'_m$, $\gamma_m$ and $\gamma'_m$ are costs of the automaton or $0$ (a result similar to Corollary 2.7). We can even be more precise: $\beta_m$ is either $0$ or the cost rate of $q$, whereas $\beta'_m$ is the cost rate of $q$. Similarly, $\gamma_m$ is either $0$ or the cost rate of $q'$, and $\gamma'_m$ is the cost rate of $q'$.

A state $(q,x)$ satisfies the formula $\Phi = \mathsf{E}\mathsf{G}_{=c}\,\mathsf{false}$ whenever there is a run $\varrho$ in $\mathcal{A}$ which can be decomposed as $\varrho = \varrho_1\cdot\varrho_2\cdot\varrho_3$ such that the cost of $\varrho_1$ is strictly less than $c$, the cost of $\varrho_1\cdot\varrho_2$ is strictly larger than $c$, and $\varrho_2$ is a single mixed move. That is, whenever there exists a path from $(q,x,r)$ to $\overline{(q',y,r')}$ of cost less than $c$ such that, when adding the outgoing cost of a single mixed move, we get a cost larger than $c$. As in Lemma 2.8, we can restrict the above union to a finite union, and we thus only need to solve finitely many linear systems of inequations. Then, we analyze all possible cases for the bounds where the truth of $\Phi$ changes, and as previously, we see that the granularity only needs to be refined by $1/C$; hence the required granularity is $1/C$ (since we started from the classical region automaton, with non-refined constants).

A state $(q,x)$ satisfies $\mathsf{E}\mathsf{G}_{\geq c}\,\mathsf{false}$ whenever there is an infinite run from $(q,x)$ for which the cost of all its prefixes is strictly less than $c$ (though the limit of these costs can be $c$ itself). In such a run, there is a prefix of cost strictly less than $c$, and from that point on the cost of each mixed move is very close to $0$ (indeed, as close to $0$ as we want). We thus proceed as follows: we fix a location $q$ and a region $r$. For every $x$ and $y$, we compute the set of possible costs between $(q,x)$ and $(q,y)$ for $x,y \in r$. This is a countable union



after having simplified the previous union, in which $\beta'_m$ and $\gamma'_m$ were both equal to the cost of location $q$. For each term of the union, we distinguish between several cases:

• if $\beta_m = \gamma_m = \alpha_m = 0$, then there is a cycle which can be iterated from $(q,r)$, and the global cost will be as small as we want. If the left-most bound of the interval is closed, then we can ensure a zero cost; otherwise we cannot.

• if $\beta_m = \gamma_m = 0$ but $\alpha_m > 0$, then there is no corresponding cycle that can be iterated without the cost diverging.

• if $\beta_m = 0$ but $\gamma_m > 0$ is the cost of $q$, then the only chance to iterate a cycle without paying too much is to choose $y$ to be the left-most point $a$ of the region $r$. Then either $\alpha_m + \gamma_m\cdot a = 0$, in which case we can iterate a cycle, or $\alpha_m + \gamma_m\cdot a > 0$, in which case we cannot.

• if $\gamma_m = 0$ but $\beta_m > 0$ is the cost of $q$, a similar reasoning applies, but with the right-most bound $b$ of $r$.

• if $\beta_m = \gamma_m > 0$ is the cost of location $q$, then it is not difficult to check that $\alpha_m$ is not smaller than $\beta_m\cdot(b-a)$ (this can be checked on the graph $G$). Hence a corresponding cycle can only be iterated if $a = b$, thus if $r$ is a punctual region.

The analysis of all these cases shows that we only need to look at terms of the union such that $\alpha_m - \beta_m\cdot b + \gamma_m\cdot a = 0$, and either $a = b$ or $\alpha_m\cdot\beta_m\cdot\gamma_m = 0$. Moreover, for each such constraint, it is only necessary to look at one of the witnessing intervals. We see that this set of states is a set of regions (we do not need to refine the regions: a whole region either satisfies the property or does not).

That way, we can compute the set $S_0$ of states from which there exists an infinite run with a cost as small as possible (though possibly not zero).

It remains to describe the set of states from which there is a finite path of cost strictly less than $c$ reaching a state of $S_0$. This can easily be done using the extended graph $G$ presented above.

► We now explain how we reduce all the other cases to the previous ones.

We consider the case of formula $\mathsf{A}\,\varphi\,\mathsf{U}_{\sim c}\,\psi$, still assuming that the automaton has no discrete costs. We prove this result by reducing to the previous case. We consider the region automaton of $\mathcal{A}$ w.r.t. the constants $(\alpha_i)_{0\le i\le n+1}$ mentioned earlier (correct for subformulas $\varphi$ and $\psi$); we assume it is still a timed automaton (truth of formulas in the original automaton and in this region automaton is then equivalent).




We moreover assume that we have two copies of each state, labeled with two extra atomic propositions $\mathit{has\_paid}$ and $\mathit{can\_have\_not\_paid}$, which characterize when the last move had a positive cost, and when it could have had no cost (for instance an instantaneous transition, or a transition from a location where the cost rate is null). We denote the new automaton by $\mathcal{A}_{\mathit{ext}}$, and now give a list of equivalences, not difficult to check, which are useful for proving the induction step for formulas of the form $\mathsf{A}\,\varphi\,\mathsf{U}_{\sim c}\,\psi$.

• $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}_{\geq c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}\,\psi \wedge \mathsf{A}\mathsf{G}_{<c}(\mathsf{A}\,\varphi\,\mathsf{U}\,\psi) \wedge \mathsf{A}\mathsf{F}_{\geq c}\,\mathsf{true}$;

• $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}_{>c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}\,\psi \wedge \mathsf{A}\mathsf{G}_{\le c}(\mathsf{A}\,\varphi\,\mathsf{U}\,\psi) \wedge \mathsf{A}\mathsf{F}_{>c}\,\mathsf{true}$;

• $(q,x),\mathcal{A} \models \mathsf{E}\mathsf{G}_{>c}\,\mathsf{false}$ iff $(q,x),\mathcal{A}_{\mathit{ext}} \models \mathsf{E}\mathsf{G}_{\geq c}\,\mathsf{false} \vee \mathsf{E}\mathsf{F}_{\le c}\,\mathsf{E}\mathsf{G}(\mathit{can\_have\_not\_paid})$;

• $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}_{\le c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}\,\psi \wedge \mathsf{A}\mathsf{F}_{\le c}\,\psi$;

• $(q,x),\mathcal{A} \models \mathsf{E}\mathsf{G}_{\le c}\,\psi$ iff $(q,x),\mathcal{A}_{\mathit{ext}} \models \mathsf{E}\mathsf{G}\,\psi \vee \mathsf{E}\,\psi\,\mathsf{U}_{>c}\,\mathsf{true}$;

• $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}_{<c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}\,\psi \wedge \mathsf{A}\mathsf{F}_{<c}\,\psi$;

• $(q,x),\mathcal{A} \models \mathsf{E}\mathsf{G}_{<c}\,\psi$ iff $(q,x),\mathcal{A}_{\mathit{ext}} \models \mathsf{E}\mathsf{G}\,\psi \vee \mathsf{E}\,\psi\,\mathsf{U}_{\geq c}\,\mathsf{true}$;

• $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}_{=c}\,\psi$ iff $(q,x),\mathcal{A} \models \mathsf{A}\,\varphi\,\mathsf{U}_{\geq c}\,\psi \wedge \mathsf{A}\mathsf{F}_{=c}\,\psi$;

• $(q,x),\mathcal{A} \models \mathsf{E}\mathsf{G}_{=c}\,\psi$ iff $(q,x),\mathcal{A}_{\mathit{ext}} \models (\mathsf{E}\mathsf{G}_{=c}\,\mathsf{false}) \vee \big(\mathsf{E}\mathsf{F}_{=c}(\mathit{has\_paid} \wedge \psi \wedge (\mathsf{E}\mathsf{G}\,\psi \vee \mathsf{E}\,\psi\,\mathsf{U}\,\mathit{has\_paid}))\big)$.

Those transformations (which do not increase $h(\Phi)$) are sufficient to lift the result to all the modalities of WCTL (under the assumption that we have no discrete costs).

2.2.2. We now explain how we can prove the induction step of the Proposition for a formula $\Phi = \mathsf{E}\,\varphi\,\mathsf{U}_{\sim c}\,\psi$ when the automaton has discrete costs on transitions. We simplify the problem and reduce it to the computation of the states satisfying a formula in an automaton without discrete costs. Then, applying the result proved for automata without discrete costs, we get the induction step. We write $T$ for the set of transitions of $\mathcal{A}$ that have a positive discrete cost. We unfold the automaton as follows: there is a copy of $\mathcal{A}$ for every integer smaller than or equal to $c+1$. The copy of location $q$ in the $i$-th copy is denoted $q_{(i)}$. There is a transition from $q_{(i)}$ to $q'_{(j)}$ if: either $i = j$ and there is a transition in $\mathcal{A}$ from $q$ to $q'$ not in $T$; or $j = i+k \le c+1$ and there is a transition in $T$ with discrete cost $k$ from $q$ to $q'$; or $j = c+1$, $i+k > c+1$ and there is a transition in $T$ with discrete cost $k$ from $q$ to $q'$. We write $\mathcal{A}_{\mathit{unf}}$ for this unfolding. Then

$(q,x),\mathcal{A} \models \mathsf{E}\,\varphi\,\mathsf{U}_{\sim c}\,\psi \quad\text{iff}\quad (q_{(0)},x),\mathcal{A}_{\mathit{unf}} \models \bigvee_{j \le c+1} \mathsf{E}\,\varphi\,\mathsf{U}_{\sim c-j}\,(\psi \wedge \mathit{copy}_j)$

where $\mathit{copy}_j$ is an atomic proposition labeling all locations of the $j$-th copy $\mathcal{A}_{(j)}$. The correctness of this construction is obvious. Now, applying the induction hypothesis on automata with no discrete cost on transitions, the granularity of regions required for model-checking each formula is $1/C^{\max(h(\varphi),h(\psi))+1}$; the granularity for the original formula in $\mathcal{A}$ is thus also $1/C^{\max(h(\varphi),h(\psi))+1}$, which proves the induction step also for automata with discrete costs on transitions.

Finally, this extension to automata with discrete costs can be adapted to modalities of the form $\mathsf{A}\,\mathsf{U}$. We omit the tedious details. □

Remark 2.9. In the above proof, we have exhibited exponentially many constants $\alpha_i$ at which the truth of the formula can change. We show here that the exponential number of constants is unavoidable in general. Indeed, consider the one-clock PTA $\mathcal{A}$ displayed on Figure 5. Using a WCTL formula, we will require that the cost is exactly $4$ between $a$ and $b$. That way, if clock $x$ equals $x_0.x_1x_2x_3\ldots x_n\ldots$ (this is the binary representation of a real in the interval $(0,2)$) when leaving $a$, then it will be equal to $x_1.x_2x_3\ldots x_n\ldots$ in $b$.

Figure 5: The one-clock PTA $\mathcal{A}$

We consider the WCTL formula $\varphi(X) = \mathsf{E}\big((a \vee b)\,\mathsf{U}_{=0}\,(\neg a \wedge \mathsf{E}(\neg b\,\mathsf{U}_{=4}\,(b \wedge X)))\big)$, where $X$ is a formula we will specify. Then formula $\varphi(\mathsf{E}\mathsf{F}_{=0}\,c)$ states that we can go from $a$ to $b$ with cost $4$, and that $x = 0$ when arriving in $b$ (since we can fire the transition leading to $c$). From the remark above, this can only be true if $x = 0$ or $x = 1$ in $a$. Now, consider formula $\varphi(\mathsf{E}\mathsf{F}_{=0}\,c \vee \varphi(\mathsf{E}\mathsf{F}_{=0}\,c))$. If it holds in state $a$, then state $c$ can be reached after exactly one or two rounds in the automaton, i.e., if the value of $x$ is in $\{0, 1/2, 1, 3/2\}$. Clearly enough, nesting $\varphi$ $n$ times characterizes values of the clock of the form $p/2^{n-1}$ where $p$ is an integer strictly less than $2^n$.



2.3. Algorithms and Complexity. In this section, we provide two algorithms for model-checking WCTL on one-clock PTA. The first algorithm runs in EXPTIME, whereas the second one runs in PSPACE, thus matching the PSPACE lower bound. However, it is easier to first explain the first algorithm, and then reuse part of it in the second one. Finally, we pursue the example of Subsection 1.2 to illustrate our PSPACE algorithm.

2.3.1. An EXPTIME Algorithm. The correctness of the algorithm we propose for model-checking one-clock PTA against WCTL properties relies on the properties proved in the previous section: if $\mathcal{A}$ is an automaton with maximal constant $M$, writing $C$ for the l.c.m. of all costs labeling a location, and if $\Phi$ is a WCTL formula of constrained size $n$ (the maximal number of nested constrained modalities), then the satisfaction of $\Phi$ is uniform on the regions $(m/C^n;\ (m+1)/C^n)$ with $m < M\cdot C^n$, and also on $(M; +\infty)$. The idea is thus to test the satisfaction of $\Phi$ for each state of the form $(q, k/2C^n)$ for $0 \le k \le (M\cdot 2C^n)+1$ (i.e. at the bounds and in the middle of each region).

To check the truth of $\Phi = \mathsf{E}\,\varphi\,\mathsf{U}_{\mathit{cost}\sim c}\,\psi$ in state $(q,x)$ with $x = k/2C^n$, we non-deterministically guess a witness. Using the graph $G$ defined in Section 2.2, we begin by proving a "small witness property":

Lemma 2.10. Let $s$ be the smallest positive cost in $\mathcal{A}$, and $C$ be the l.c.m. of all positive costs of $\mathcal{A}$. Let $q$ be a location of $\mathcal{A}$, and $x \in \mathbb{R}_{\ge 0}$. Let $\Phi = \mathsf{E}\,\varphi\,\mathsf{U}_{\sim c}\,\psi$ be a WCTL formula of size $n$. Then $(q,x) \models \Phi$ iff there exists a run in $\mathcal{A}$, from $(q,x)$, satisfying $\varphi\,\mathsf{U}_{\sim c}\,\psi$, and whose projection in $G$ visits each state of $G$ at most $N = \lfloor c\cdot C^n/s\rfloor + 2$ times.

Proof. Let $\varrho$ be a run in $\mathcal{A}$, starting from $(q,x)$ (with $x = k/2C^n$ for some $k$) and satisfying $\varphi\,\mathsf{U}_{\sim c}\,\psi$. To that run corresponds a path $g$ in the region graph, starting in $(q,x)$. Consider a cycle in that path $g$: either it has a global cost interval $[0,0]$, in which case it can be removed and still yields a witnessing run; or it has a global cost interval of the form $(a,b)$ with $b > 0$. In that case, letting $s$ be the smallest positive cost of the automaton, we know that $b > s/C^n$. Now, if some state of $G$ is visited (strictly) more than $N = \lfloor c\cdot C^n/s\rfloor + 2$ times along $g$, we build a path $g'$ from $g$ by removing extraneous cycles, in such a way that each state of $G$ is visited at most $N$ times along $g'$ (and that $g'$ starts and ends in the same states as $g$). Since we assumed that $g$ does not contain cycles with cost interval $[0;0]$, we know that the upper bound of the accumulated cost along $g'$ is above $c$. Also, the lower bound of the accumulated cost along $g'$ is not larger than that of $g$. Since $g$ "contains" a run witnessing $\varphi\,\mathsf{U}_{\sim c}\,\psi$, the cost interval of $g$ contains a value satisfying $\sim c$, thus so does the cost interval of $g'$. In other words, $g'$ still contains a path witnessing $\varphi\,\mathsf{U}_{\sim c}\,\psi$. This path can easily be lifted to a run in $\mathcal{A}$ satisfying the formula $\varphi\,\mathsf{U}_{\sim c}\,\psi$. □

Since a transition in $G$ may correspond to a linear sequence of transitions in $\mathcal{A}$, we know that if $(q,x) \models \mathsf{E}\,\varphi\,\mathsf{U}_{\sim c}\,\psi$, then there exists a witness with at most exponentially many transitions in $\mathcal{A}$.

We now describe our algorithm: assuming we have computed, for each state $q$ of $\mathcal{A}$, the intervals of values of $x$ where $\varphi$ (resp. $\psi$) holds, we non-deterministically guess the successive states of a path in $\mathcal{A}$, checking that $\varphi$ holds after each action transition and that the path reaches a $\psi$-state after an action transition and with cost satisfying $\sim c$. This verification can be achieved in PSPACE (and can be made deterministic, as PSPACE = NPSPACE). Since we apply this algorithm for each state $(q, k/2C^n)$ with $0 \le k \le (M\cdot 2C^n)+1$, our global algorithm runs in deterministic exponential time.

It is immediate to design a similar algorithm for formulas $\mathsf{E}\mathsf{G}_{\geq c}\,\mathsf{false}$ and $\mathsf{E}\mathsf{G}_{=c}\,\mathsf{false}$. The other existential modalities are handled by reducing to those, as explained in Section 2.2.
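As an added illustration of the guess-a-witness procedure above together with the revisit bound $N$ of Lemma 2.10, the following Python (written for this page, not the authors' code) performs the bounded search over a small abstract graph. The graph is a constructed stand-in for the region graph $G$: nodes stand for states $(q,r)$, each edge carries the cost interval of one mixed move (with open or closed bounds, added by Minkowski sum as the accumulated interval $I$), and two predicates mark the $\varphi$-nodes and $\psi$-nodes. Checking $\psi$ at the start node with cost $[0,0]$ is an assumption of this example; the values $c$, $C$, $n$, $s$ passed to the bound are illustrative.

```python
"""Bounded witness search for E phi U_{~c} psi over an abstract cost-interval graph.

Added example, not code from the paper.  The graph below is constructed for
illustration: it is not the region graph of any automaton on the page.
"""
from fractions import Fraction
from math import floor, inf

# An interval is (lo, lo_closed, hi, hi_closed); hi may be +inf (then never closed).

def add_intervals(i, j):
    """Minkowski sum of two cost intervals; a bound is closed only if both are."""
    lo = i[0] + j[0]
    hi = i[2] + j[2]
    return (lo, i[1] and j[1], hi, hi != inf and i[3] and j[3])

def interval_meets(iv, op, c):
    """True iff some value v of the (non-empty) interval satisfies v ~ c."""
    lo, lo_c, hi, hi_c = iv
    if op == '=':
        return (lo < c or (lo == c and lo_c)) and (c < hi or (c == hi and hi_c))
    if op == '<':
        return lo < c
    if op == '<=':
        return lo < c or (lo == c and lo_c)
    if op == '>':
        return hi > c
    if op == '>=':
        return hi > c or (hi == c and hi_c)
    raise ValueError(op)

def revisit_bound(c, C, n, s):
    """N = floor(c * C^n / s) + 2, the per-state visit bound of Lemma 2.10."""
    return floor(Fraction(c) * C ** n / s) + 2

def has_witness(graph, start, phi, psi, op, c, N):
    """Depth-first guess of a path from `start` whose accumulated cost interval
    can satisfy ~ c at a psi-node, with phi holding at every node passed through
    and no node visited more than N times.  graph: {node: [(successor, interval)]}.
    Assumption of this example: a psi-node at the start with cost [0,0] counts."""
    visits = {}

    def dfs(node, acc):
        if psi(node) and interval_meets(acc, op, c):
            return True
        if not phi(node) or visits.get(node, 0) >= N:
            return False
        visits[node] = visits.get(node, 0) + 1
        try:
            return any(dfs(nxt, add_intervals(acc, iv)) for nxt, iv in graph.get(node, []))
        finally:
            visits[node] -= 1

    return dfs(start, (0, True, 0, True))

# Constructed sample graph: s -> m costs (0, 2], the loop on m costs exactly 1,
# m -> g costs (0, 1); g is the only psi-node and every node is a phi-node.
SAMPLE_GRAPH = {
    's': [('m', (0, False, 2, True))],
    'm': [('m', (1, True, 1, True)), ('g', (0, False, 1, False))],
    'g': [],
}

def is_phi(node):
    return True

def is_psi(node):
    return node == 'g'

if __name__ == '__main__':
    # cost exactly 5 needs three loops: (0,2] + 3*[1,1] + (0,1) = (3,6) contains 5
    print(has_witness(SAMPLE_GRAPH, 's', is_phi, is_psi, '=', 5, revisit_bound(5, 1, 1, 1)))
```

The two calls with `'>'` and `100` in the checks below show why the bound matters: with $N = 3$ the loop can only be taken twice and the search correctly fails, while a larger $N$ finds the witness, exactly as the cycle-removal argument in the proof predicts.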

2.3.2. A PSPACE Algorithm. The PSPACE algorithm reuses some parts of the previous algorithm, but improves on space performance by computing and storing only the minimal information required: instead of computing the truth value of each subformula in each state $(q, k/2C^n)$, it only computes the information it really needs. Our method is thus similar in spirit to the space-efficient, on-the-fly algorithm for TCTL presented in [HKV96].

We then need, while guessing a witness for $\mathsf{E}\,\varphi\,\mathsf{U}_{\mathit{cost}\sim c}\,\psi$, to check that all intermediary states reached after an action transition satisfy formula $\varphi$. As $\varphi$ might itself be a WCTL formula with several nested modalities, we fork a new computation of our algorithm on formula $\varphi$ from each intermediary state. The maximal number of threads running simultaneously is at most the depth of the parsing tree of formula $\Phi$. When a thread is preempted, we only need to store a polynomial amount of information in order to be able to resume it. Indeed, it is sufficient to store for each preempted thread a triple $(\sigma, K, I)$ where $\sigma$ is a node of the region graph, $K$ records the number of steps of the path we are guessing (we know that when $\mathsf{E}\,\varphi\,\mathsf{U}_{\sim c}\,\psi$ holds, an exponential witness exists), and $I$ is an interval corresponding to the accumulated cost along the path being guessed.

The algorithm thus runs as follows: we start by labeling the root of the tree by $\sigma = (q,x,r)$, $K = 0$ and $I = [0;0]$. Then we guess a sequence of transitions in the region graph, starting from $(q,x,r)$; when a new state $(q',r')$ is added, we increment the value of $K$ and update the value of the interval, as described in the previous section. If we just fired an action transition, then either we fork an execution for checking that $\varphi$ holds, or we check that the constraint $\mathit{cost}\sim c$ can be satisfied by the new interval and verify that the new state satisfies $\psi$ (by again forking a new execution).

The number of nested guesses is bounded by the depth of the parsing tree of $\Phi$, because when a new thread starts, it starts from a node in the parsing tree that is a child of the previous node. Thus, the memory needed by this algorithm is the parsing tree of formula $\Phi$ with each node labeled by a tuple which can be stored in polynomial space. This globally yields a PSPACE algorithm.

Example 2.11. We illustrate our PSPACE algorithm on our initial example, with formula $\Phi = \neg\mathsf{E}\big(\mathit{OK}\,\mathsf{U}_{t\le 8}\,(\mathit{Problem} \wedge \neg\mathsf{E}\mathsf{F}_{c<30}\,\mathit{OK})\big)$. We write $g = 1/C^2$ for the resulting granularity as defined in the Proposition, and consider a starting state, e.g. $(\mathit{OK}, x = mg)$.



Figure 6: Execution of our PSPACE algorithm on the initial example. (The figure shows three trees of labeled nodes; each node carries a region-graph state such as $(\mathit{OK}, x, r)$, $(\mathit{OK}, \{x+g\})$ or $(\mathit{Problem}, \{x+kg\})$, a step counter and a cost interval $[0,0]$, $[g,g]$ or $[kg,kg]$, with the subformulas $\mathsf{E}\,\mathsf{U}_{t\le 8}$, $\mathsf{E}\,\mathsf{U}_{c<30}$, $\mathit{Problem}$ and $\mathit{OK}$ as children.)



Figure 6 shows three steps of our algorithm. The first step represents the first iteration, where subformula $\mathit{OK}$ is satisfied at the beginning of the run. At step 2, the execution goes to $(\mathit{OK}, x+g)$: we check that the left-hand-side formula still holds in $(\mathit{OK}, x+g)$ (as depicted), but also in intermediary states. The third figure corresponds to $k$ steps later, when the algorithm decides to go to the right-hand part of $\mathsf{E}\,\mathsf{U}_{t\le 8}$. In that case, of course, it is checked that $kg \le 8$, and the algorithm then goes on verifying the second until subformula.



3. Model-checking linear-time logics

We now turn to the case of linear-time temporal logics. We begin with the definition of our logic WMTL.

3.1. The Logic WMTL. The logic WMTL is a weighted extension of LTL, but can also be viewed as an extension of MTL [Koy90], hence its name WMTL, standing for "Weighted MTL".

The syntax of WMTL is defined inductively as follows:

$\mathrm{WMTL} \ni \varphi ::= a \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi\,\mathsf{U}_{\mathit{cost}\sim c}\,\varphi$

where $a \in \mathsf{AP}$, $\mathit{cost}$ is a cost function, $c$ ranges over $\mathbb{N}$, and $\sim\ \in \{<, \le, =, \ge, >\}$. If there is a single cost function, or if the cost function $\mathit{cost}$ is clear from the context, we simply write $\varphi\,\mathsf{U}_{\sim c}\,\psi$ for $\varphi\,\mathsf{U}_{\mathit{cost}\sim c}\,\psi$.

We interpret WMTL formulas over (finite) runs of labeled PTA, identifying each cost of the formula with the corresponding cost in the automaton.

Definition 3.1. Let $\mathcal{A}$ be a labeled PTA, and let $\varrho = (q_0,v_0) \xrightarrow{t_1,e_1} (q_1,v_1) \cdots \xrightarrow{t_p,e_p} (q_p,v_p)$ be a finite run in $\mathcal{A}$. Writing $\varrho^{\pi}$ for the suffix of $\varrho$ starting at $(q_\pi,v_\pi)$ and $\varrho_{\le\pi}$ for its prefix ending there, the satisfaction relation for WMTL is defined inductively as follows:

$\varrho \models a$ iff $a \in \ell(q_0)$
$\varrho \models \neg\varphi$ iff $\varrho \not\models \varphi$
$\varrho \models \varphi_1 \vee \varphi_2$ iff $\varrho \models \varphi_1$ or $\varrho \models \varphi_2$
$\varrho \models \varphi_1\,\mathsf{U}_{\mathit{cost}\sim c}\,\varphi_2$ iff $\exists\, 0 < \pi \le |\varrho|$ s.t. $\varrho^{\pi} \models \varphi_2$, $\forall\, 0 < \pi' < \pi$, $\varrho^{\pi'} \models \varphi_1$, and $\mathit{cost}(\varrho_{\le\pi}) \sim c$.

Example 3.2. Back to our example of Figure 1, we can express that there is no path from $\mathit{OK}$ back to itself in time less than $10$ and with cost less than $20$. This is achieved by showing that no path satisfies the following formula:

$\mathit{OK}\ \mathsf{U}\ \big(\mathit{Problem} \wedge (\neg\mathit{OK})\,\mathsf{U}_{x<10}\,\mathit{OK} \wedge (\neg\mathit{OK})\,\mathsf{U}_{c<20}\,\mathit{OK}\big).$

As we will see, model-checking WMTL will in fact be undecidable when the automaton involves more than one cost.

Remark 3.3. Classically, there are two possible semantics for timed temporal logics [Ras99]: the continuous semantics, where the system is observed continuously, and the point-based semantics, where the system is observed only when the state of the system changes. We have chosen the latter, because the model checking problem for MTL under the continuous semantics is already undecidable [AH90], whereas model checking under the point-based semantics is decidable over finite runs [OW05].

We study existential model-checking of WMTL over priced timed automata, stated as: given a one-clock PTA $\mathcal{A}$ and a WMTL formula $\varphi$, decide whether there exists a finite run $\varrho$ in $\mathcal{A}$ starting in an initial state and such that $\varrho \models \varphi$. Since WMTL is closed under negation, our results obviously extend to the dual problem of universal model-checking.

We prove that the model-checking problem against WMTL properties is decidable for:

(1) one-clock PTA with one stopwatch cost variable.

Any extension to that model leads to undecidability. Indeed, we prove that the model-checking problem against WMTL properties is undecidable for:

(2) one-clock PTA with one cost variable,

(3) two-clock PTA with one stopwatch cost variable,

(4) one-clock PTA with two stopwatch cost variables.

We present our results as follows. In Section 3.2 we explain the positive result (1), using an abstraction proposed in [OW05] for proving the decidability of MTL model checking over timed automata. Then, in Section 3.3, we present all our undecidability results, starting with the proof for result (2), and then slightly modifying the construction for proving results (3) and (4).
3.2. Decidability of WMTL for One-Clock PTA With One Stopwatch Cost.

Theorem 3.4. Model checking one-clock PTA with one stopwatch cost against WMTL properties is decidable, and non-primitive recursive.

Proof. Time can be viewed as a special $\{1\}$-sloped cost. Hence, the non-primitive recursive lower bound follows from that of MTL model checking over finite timed words, see [OW05, OW07].

The decidability relies on the same encoding as [OW05]. We present the construction, but do not give all details, especially when there is nothing new compared with the above-mentioned paper.

Let $\varphi$ be a WMTL formula, and $\mathcal{A}$ be a single-clock PTA with a stopwatch cost. Classically, from formula $\varphi$, we construct an "equivalent" one-variable alternating timed automaton¹ $\mathcal{B}_\varphi$. Figure 7 displays an example of such an automaton, corresponding to formula $\mathsf{G}[a \Rightarrow (\mathsf{F}_{<3}\,b \vee \mathsf{F}_{>2}\,c)]$ (see [OW05] for more details on alternating timed automata).




Figure 7: A timed alternating automaton for formula $\mathsf{G}[a \Rightarrow (\mathsf{F}_{<3}\,b \vee \mathsf{F}_{>2}\,c)]$

Note, however, that in that case the unique variable of the alternating automaton is not a clock but a cost variable, whose rate depends on the location of $\mathcal{A}$ being visited. Still, as for MTL, we have the property that $\mathcal{A} \models \varphi$ iff there is an accepting joint run of $\mathcal{A}$ and $\mathcal{B}_\varphi$.

In the following, we write $q$ for a generic location of $\mathcal{A}$ and $\ell$ for a generic location of $\mathcal{B}_\varphi$. Similarly, $Q$ denotes the set of locations of $\mathcal{A}$ and $L$ the set of locations of $\mathcal{B}_\varphi$.

An $\mathcal{A}/\mathcal{B}_\varphi$-joint configuration is a finite subset of $Q\times\mathbb{R}_{\ge 0} \cup L\times\mathbb{R}_{\ge 0}$ with exactly one element of $Q\times\mathbb{R}_{\ge 0}$ (the current state in automaton $\mathcal{A}$). The joint behaviour of $\mathcal{A}$ and $\mathcal{B}_\varphi$ is made of time evolutions and discrete steps in a natural way. Note that, from a given joint configuration $\gamma$, the time evolution is given by the current location $q_\gamma$ of $\mathcal{A}$: if the cost rate in $q_\gamma$ is $1$, then all variables behave like clocks, i.e., grow with rate $1$, and if the cost rate in $q_\gamma$ is $0$, then all variables of $\mathcal{B}_\varphi$ are stopped, and only the clock of $\mathcal{A}$ grows with rate $1$.

We encode configurations with words over the alphabet $\Gamma = 2^{(Q\times\mathsf{Reg}\ \cup\ L\times\mathsf{Reg})}$, where $\mathsf{Reg} = \{0,1,\ldots,M\} \cup \{\top\}$ ($M$ is an integer above the maximal constant appearing in both $\mathcal{A}$ and $\mathcal{B}_\varphi$). A state $(\ell,c)$ of $\mathcal{B}_\varphi$ will for instance be encoded by $(\ell, \mathit{int}(c))$² if $c \le M$, and by $(\ell, \top)$ if $c > M$.

Now, given a joint configuration $\gamma = \{(q,x)\} \cup \{(\ell_i, c_i) \mid i \in I\}$, partition $\gamma$ into a sequence of subsets $\gamma_0, \gamma_1, \ldots, \gamma_p, \gamma_\top$ such that $\gamma_\top = \{(a,\beta) \in \gamma \mid \beta > M\}$, and if $i,j \ne \top$, for all $(a,\beta) \in \gamma_i$ and $(a',\beta') \in \gamma_j$, $\mathit{frac}(\beta) < \mathit{frac}(\beta')$³ iff $i < j$ (so that $(a,\beta)$ and $(a',\beta')$ are in the same block $\gamma_i$ iff $\beta$ and $\beta'$ are both smaller than or equal to $M$ and have the same fractional part). We assume in addition that the fractional part of elements in $\gamma_0$ is $0$ (even if it means that $\gamma_0 = \emptyset$), and that all $\gamma_i$ for $1 \le i \le p$ are non-empty.

¹ We use the eager semantics [BMOW07] for alternating automata, where configurations of the automaton always have the same sets of successors.
² $\mathit{int}$ represents the integral part.
³ $\mathit{frac}$ represents the fractional part.

If $\gamma$ is a joint configuration, we define its encoding $H(\gamma)$ as the word (over $\Gamma$)

$\mathit{reg}(\gamma_0)\,\mathit{reg}(\gamma_1)\ldots\mathit{reg}(\gamma_p)\,\mathit{reg}(\gamma_\top)$

where $\mathit{reg}(\gamma_i) = \{(a, \mathit{reg}(\beta)) \mid (a,\beta) \in \gamma_i\}$ with $\mathit{reg}(\beta) = \mathit{int}(\beta)$ if $\beta \le M$, and $\mathit{reg}(\beta) = \top$ otherwise.

Example 3.5. Consider the configuration

$\gamma = \{(q, 1.6)\} \cup \{(\ell_1, 5.2), (\ell_2, 2.2), (\ell_3, 2.6), (\ell_4, 1.5), (\ell_5, 4.5)\}.$

Assuming that the maximal constant (on both $\mathcal{A}$ and $\mathcal{B}_\varphi$) is $4$, the encoding is then

$H(\gamma) = \{(\ell_2, 2)\}\cdot\{(\ell_4, 1)\}\cdot\{(q, 1), (\ell_3, 2)\}\cdot\{(\ell_1, \top), (\ell_5, \top)\}$

We define a discrete transition system over encodings of $\mathcal{A}/\mathcal{B}_\varphi$-joint configurations: there is a transition $W \Rightarrow W'$ if there exist $\gamma \in H^{-1}(W)$ and $\gamma' \in H^{-1}(W')$ such that $\gamma \to \gamma'$ (which can be either a time evolution or a discrete step).

Lemma 3.6. The equivalence relation $\equiv$ defined as $\gamma_1 \equiv \gamma_2 \overset{\mathrm{def}}{\Leftrightarrow} H(\gamma_1) = H(\gamma_2)$ is a time-abstract bisimulation over joint configurations.

Proof. We assume $\gamma_1 \to \gamma'_1$ and $\gamma_1 \equiv \gamma_2$. We write $H(\gamma_1) = H(\gamma_2) = w_0 w_1 \cdots w_p w_\top$ where $w_i \ne \emptyset$ if $1 \le i \le p$. We distinguish between the different possible cases for the transition $\gamma_1 \to \gamma'_1$.

• assume $\gamma_1 \to \gamma'_1$ is a time evolution, and the cost rate in the corresponding location of $\mathcal{A}$ is $0$. If $\gamma_1 = \{(q_1,x_1)\} \cup \{(\ell_{i,1}, c_{i,1}) \mid i \in I_1\}$, then $\gamma'_1 = \{(q_1, x_1+t_1)\} \cup \{(\ell_{i,1}, c_{i,1}) \mid i \in I_1\}$ for some $t_1 \in \mathbb{R}_{\ge 0}$. We assume in addition that $\gamma_2 = \{(q_2,x_2)\} \cup \{(\ell_{i,2}, c_{i,2}) \mid i \in I_2\}$.

We write $\gamma_1^i$ for the part of configuration $\gamma_1$ which corresponds to letter $w_i$, and $\alpha_1^i$ for the fractional part of the values in $\gamma_1^i$. We have $0 = \alpha_1^0 < \alpha_1^1 < \cdots < \alpha_1^p < 1$. We define similarly $(\alpha_2^i)_{0 \le i \le p}$ for configuration $\gamma_2$. We then distinguish between several cases:

– either $x_1 + t_1 > M$, in which case it is sufficient to choose $t_2 \in \mathbb{R}_{\ge 0}$ such that $x_2 + t_2 > M$;

– or $x_1 + t_1 \le M$ and $\mathit{frac}(x_1+t_1) = \alpha_1^i$ for some $0 \le i \le p$. In that case, choose $t_2 = x_1 + t_1 - \alpha_1^i + \alpha_2^i - x_2$. As $\gamma_1 \equiv \gamma_2$, it is not difficult to check that $t_2 \in \mathbb{R}_{\ge 0}$. Moreover, $\mathit{frac}(x_2+t_2) = \alpha_2^i$ and $\mathit{int}(x_2+t_2) = \mathit{int}(x_1+t_1)$;

– or $x_1 + t_1 \le M$ and $\alpha_1^i < \mathit{frac}(x_1+t_1) < \alpha_1^{i+1}$ for some $0 \le i \le p$ (setting $\alpha_1^{p+1} = 1$). As previously, in that case also, we can choose $t_2 \in \mathbb{R}_{\ge 0}$ such that $\alpha_2^i < \mathit{frac}(x_2+t_2) < \alpha_2^{i+1}$ and $\mathit{int}(x_2+t_2) = \mathit{int}(x_1+t_1)$.

In all cases, defining $\gamma'_2 = \{(q_2, x_2+t_2)\} \cup \{(\ell_{i,2}, c_{i,2}) \mid i \in I_2\}$, we get that $\gamma_2 \to \gamma'_2$ and $\gamma'_1 \equiv \gamma'_2$, which proves the inductive case.

• there are two other cases (time evolution with all variables having rate $1$, and discrete step), but they are similar to the case of MTL, and we refer to [OW07]. □

Hence, from the previous lemma, we get:

Corollary 3.7. $W \Rightarrow^* W'$ iff there exist $\gamma \in H^{-1}(W)$ and $\gamma' \in H^{-1}(W')$ such that $\gamma \to^* \gamma'$.

The set $\Gamma = 2^{(Q\times\mathsf{Reg}\ \cup\ L\times\mathsf{Reg})}$ is naturally ordered by inclusion $\subseteq$. We extend the classical subword relation to words over $\Gamma$ as follows: given two words $a_0a_1\ldots a_n$ and $a'_0a'_1\ldots a'_{n'}$ in $\Gamma^*$, we say that $a_0a_1\ldots a_n \sqsubseteq a'_0a'_1\ldots a'_{n'}$ whenever there exists an increasing injection $\iota : \{0,1,\ldots,n\} \to \{0,1,\ldots,n'\}$ such that for every $i \in \{0,1,\ldots,n\}$, $a_i \subseteq a'_{\iota(i)}$. Following [AN00, Theorem 3.1], the preorder $\sqsubseteq$ is a well-quasi-order.

Lemma 3.8. Assume that $W_1 \sqsubseteq W_2$, and that $W_2 \Rightarrow^* W'_2$. Then there exists $W'_1 \sqsubseteq W'_2$ such that $W_1 \Rightarrow^* W'_1$.

The algorithm then proceeds as follows: we start from the encoding of the initial configuration, say $W_0$, and then generate the tree unfolding of the implicit graph $(\Gamma^*, \Rightarrow)$, stopping a branch when the current node is labelled by $W$ such that there already exists a node of the tree labelled by $W'$ with $W' \sqsubseteq W$ (note that by Lemma 3.8, if there is an accepting path from $W$, then there is one from $W'$ as well, hence it is correct to prune the tree after node $W$). Note that this tree is finitely branching. Hence, if the computation does not terminate, then there is an infinite branch (by König's lemma). This is not possible, as $\sqsubseteq$ is a well-quasi-order. Hence, the computation eventually terminates, and we can decide whether there is a joint accepting computation of $\mathcal{A}$ and $\mathcal{B}_\varphi$, which implies that we can decide whether $\mathcal{A}$ satisfies $\varphi$ or not. □

Remark 3.9. In the case of MTL, the previous encoding can be used to prove the decidability of model checking for timed automata with any number of clocks. In our case, it cannot: Lemma 3.6 does not hold for two-clock PTA, even with a single stopwatch cost. Consider for instance two clocks $x$ and $z$, and a cost variable $\mathit{cost}$. Assume we are in location $q$ of the automaton with cost rate $0$, and that there is an outgoing transition labelled by the constraint $x = 1$. Assume moreover that the value of $z$ is $0$, whereas the value of $x$ is $0.2$. We consider two cases: either the value of $\mathit{cost}$ is $0.5$, or the value of $\mathit{cost}$ is $0.9$. In both cases, the encoding⁴ of the joint configuration is $\{(q,z,0)\}\cdot\{(q,x,0)\}\cdot\{(\mathit{cost},0)\}$. However, in the first case, the encoding when firing the transition will be $\{(q,x,1)\}\cdot\{(\mathit{cost},0)\}\cdot\{(q,z,0)\}$, whereas in the second case, it will be $\{(q,x,1)\}\cdot\{(q,z,0)\}\cdot\{(\mathit{cost},0)\}$. Hence the relation $\equiv$ is not a time-abstract bisimulation.

Remark 3.10. Let $\mathcal{A}$ be a PTA with a stopwatch cost. From the construction using encodings by words presented above, we see that the truth of WMTL formulas is invariant by classical regions (by classical regions, we mean one-dimensional regions with granularity $1$): indeed, in the above construction, it suffices to replace the initial configuration with the encoding of the region we want to start from, and applying the previous results, we immediately get that the truth of the formula does not depend on the precise initial value of the clock. As a consequence, the model checking of WCTL*⁵ is decidable (and non-primitive recursive) for PTA with a single stopwatch cost: it suffices to label regions (in the classical sense) with the WMTL subformulas they satisfy. Let us mention right now that the undecidability results below directly extend to WCTL*, so that again, any extension of the model leads to undecidability.

3.3. Undecidability Results. In this part, we prove that the above result is tight, in the sense that adding an extra stopwatch cost or removing the "stopwatch" condition yields undecidability.

⁴ We extend the encoding presented above to several clocks, as originally done in [OW05].
⁵ WCTL* is the extension of CTL* [ES86] with cost constraints. We omit its definition.
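The encoding $H$, the subword preorder $\sqsubseteq$ used for pruning, and the two-clock counter-example of Remark 3.9 are all small enough to be checked mechanically. The following Python is an added example written for this page, not the authors' code: `encode` implements $H$ with exact rational arithmetic (it always emits the $\gamma_0$ block first, even when it is empty, as the definition allows), `is_subword` decides $\sqsubseteq$ by greedy matching, and `elapse` is the time evolution of a joint configuration for a given cost rate. The configuration values are those of Example 3.5 and Remark 3.9; variable names such as `'l1'`, `'z'` and `'cost'` and the choice $M = 1$ for the remark are this example's own.

```python
"""Word encoding H of joint configurations (Section 3.2), the subword preorder,
and the Remark 3.9 counter-example.  Added example, not code from the paper."""
from fractions import Fraction
from math import floor

TOP = 'T'   # the abstract value for a variable above the maximal constant M

def encode(config, M):
    """H(gamma): group (name, value) pairs by fractional part in increasing order,
    abstract each value to its integral part (or TOP when value > M), and put the
    TOP block last.  The first letter is the block of fractional part 0 (maybe empty)."""
    blocks, top = {}, set()
    for name, value in config:
        value = Fraction(value)
        if value > M:
            top.add((name, TOP))
        else:
            blocks.setdefault(value - floor(value), set()).add((name, floor(value)))
    word = [frozenset(blocks.pop(Fraction(0), set()))]
    word += [frozenset(blocks[f]) for f in sorted(blocks)]
    word.append(frozenset(top))
    return tuple(word)

def is_subword(w1, w2):
    """w1 ⊑ w2: an increasing injection of positions with letter-wise inclusion.
    Greedy earliest matching is complete for this relation."""
    j = 0
    for letter in w1:
        while j < len(w2) and not letter <= w2[j]:
            j += 1
        if j == len(w2):
            return False
        j += 1
    return True

def elapse(config, clocks, rate, t):
    """Time evolution: clocks of A grow with rate 1, cost variables with `rate`."""
    t = Fraction(t)
    return [(n, Fraction(v) + (t if n in clocks else rate * t)) for n, v in config]

# Example 3.5 (values as on the page; l1..l5 name the B_phi states in listing order)
EXAMPLE_3_5 = [('q', '1.6'), ('l1', '5.2'), ('l2', '2.2'),
               ('l3', '2.6'), ('l4', '1.5'), ('l5', '4.5')]

def remark_3_9(M=1):
    """Two-clock configurations of Remark 3.9 (cost rate 0, delay 0.8 until x = 1).
    Returns (same encoding before the delay, same encoding after the delay)."""
    clocks = {'z', 'x'}
    before = [[('z', 0), ('x', '0.2'), ('cost', c)] for c in ('0.5', '0.9')]
    after = [elapse(cfg, clocks, rate=0, t='0.8') for cfg in before]
    return (encode(before[0], M) == encode(before[1], M),
            encode(after[0], M) == encode(after[1], M))

if __name__ == '__main__':
    for letter in encode(EXAMPLE_3_5, 4):
        print(sorted(letter))
    print(remark_3_9())   # the two encodings agree before the delay but not after
```

The `(True, False)` result of `remark_3_9` is exactly the failure of bisimulation the remark describes: identical words before the delay, different words after it, because the stopped cost variable keeps a fractional part that the encoding ranks against the moving clock $z$.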
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3.3.1. One-Clock PTA With One Cost Variable. 

Theorem 3.11. Model checking one-clock PTA with one (general) cost against WMTL 
properties is undecidable. 

We push some ideas used in [BBM06, BLM07] further to prove this new undecidability result. We reduce the halting problem for a two-counter machine M to that problem. The unique clock of the automaton will store both values of the counters. If the first (resp. second) counter has value c_1 (resp. c_2), then the value of the clock will be 2^{-c_1} · 3^{-c_2}. Our machine M has two kinds of instructions. The first kind increments one of the counters, say c, and jumps to the next instruction:

p_i : c := c + 1; goto p_j. (3.1)

The second kind decrements one of the counters, say c, and goes to the next instruction, except if the value of the counter was zero:

p_i : if (c == 0) then goto p_j else c := c − 1; goto p_k. (3.2)

Our reduction consists in building a one-clock PTA A_M and a WMTL formula φ such that the two-counter machine M halts iff A_M has a run satisfying φ. Each instruction of M is encoded as a module, and all the modules are then plugged together.

Module for instruction (3.1). Consider instruction (3.1), which increments the first counter. To simulate this instruction, we need to be able to divide the value of the clock by 2. The corresponding module, named Mod_i, is depicted on Figure 8.



Figure 8: Module for incrementing c_1 (figure not reproduced; the module exits to Mod_j)

The following lemma is then easy to prove: 

Lemma 3.12. Assume that there is a run ρ entering module Mod_i with x = x_0 < 1, exiting with x = x_1, and such that no time elapses in A and D and the cost between A and D equals 3. Then x_1 = x_0/2.

A similar result can be obtained for a module incrementing c_2: it simply suffices to replace the cost rate in C by 3 instead of 2.

Module for instruction (3.2). The simulation of this instruction is much more involved than that of the previous instruction. Indeed, we first have to check whether the value of x when entering the module is of the form 3^{-c_2} (i.e., whether c_1 = 0). This is achieved, roughly, by multiplying the value of x by 3 until it reaches (or exceeds) 1. Depending on the result, this module will then branch to module Mod_j, or decrement counter c_1 and go to module Mod_k. The difficult point is that clock x must be reset to its original value between the first and the second part. We consider the module Mod_i depicted on Figure 9.



Figure 9: Module testing/decrementing c_1 (figure not reproduced; locations A_0, B_0, C_0, A, B, C, C', D, E_1, E_2, F_1, F_2, G_1, G_2, H_1, H_2, A_2, B_2, C_2, D_2, with guards x < 1 and x = 1 and a discrete cost +2 on one edge)

Footnote: As there is a unique cost variable, we write its rate within the location, and add a discrete incrementation (e.g. +2) on edges, when the edge has a positive cost.



Lemma 3.13. Assume there exists a run ρ entering module Mod_i with x = x_0 < 1, exiting to module Mod_j with x = x_1, and such that

• no time elapses in A_0, C_0, D, A, C', F_1 and H_1;

• any visit to C_0 or C' is eventually followed (strictly) by a visit to C' or F_1;

• the cost exactly equals 3 along each part of ρ between A or A_0 and the next visit in D, between C_0 or C' and the next visit in C' or F_1, and between the last visit to D and H_1.

Then x_1 = x_0 and there exists n ∈ N s.t. x_0 = 3^{-n}.

Proof. Let ρ be such a run. First, if x_0 = 1 and ρ goes directly to module Mod_j, then the result immediately follows.

Otherwise, ρ visits D at least once. We prove inductively that, at the k-th visit in D, the value of x equals 3^k x_0 (remember that no time can elapse in D). The first part of ρ between A_0 and D is as follows (the bracketed labels on the arrows represent the cost of the corresponding transition):

(A_0, x_0) →[0] (B_0, x_0) →[3(1 − x_0)] (B_0, 1) →[0] (C_0, 0) →[0] (C, 0) →[α] (C, α) →[0] (D, α).

The total cost, 3(1 − x_0) + α, must equal 3. Thus α = 3x_0. A similar argument shows that one turn in the loop (from D back to itself) also multiplies clock x by 3, hence the result. Since ρ eventually fires the transition from D to E_1, it must be the case that x_0 = 3^{-n} for some n ∈ N.

We now prove that x_1 = x_0. The proof follows a similar line: we prove that at the k-th visit to C_0 or C', the value of x is (3^k − 3)x_0. This clearly holds when k = 1 (i.e., when we visit C_0). Assuming that ρ eventually visits C', we consider the part of ρ between C_0 and the first visit to C':

(C_0, 0) →[0] (C, 0) →[3x_0] (C, 3x_0) →[0] (D, 3x_0) →[0] (A, 3x_0) →[0] (B, 3x_0) →[3(1 − 3x_0)] (B, 1) →[0] (C, 0) →[β] (C, β) →[0] (C', β).

The cost of this part is 3 − 6x_0 + β, and must equal 3. Thus β = 6x_0, as required. A similar computation (considering each part of ρ between two consecutive visits to C') proves the inductive case.



Footnote: By contradiction, it can be proved that C' cannot be visited along that part of ρ, since the cost between C_0 and C' must be exactly 3.

Now, consider the part from the last visit of C' to H_1:

(C', (3^n − 3)x_0) →[0] (C, (3^n − 3)x_0) →[3x_0] (C, 3^n x_0) →[0] (D, 3^n x_0) →[0] (E_1, 0) →[3γ] (E_1, γ) →[0] (F_1, γ) →[0] (G_1, 0) →[3δ] (G_1, δ) →[0] (H_1, δ).

(Remember that 3^n x_0 = 1, which explains why the computation goes to E_1 instead of E_2.) The cost between C' and F_1 is 3x_0 + 3γ, and equals 3. Thus γ = 1 − x_0. Similarly, the cost between D and H_1 is 3γ + 3δ and must equal 3, which proves that δ, which is precisely x_1, equals x_0. □

We have a similar result for a run going to module Mod_k:

Lemma 3.14. Assume there exists a run ρ entering module Mod_i with x = x_0 < 1, exiting to module Mod_k with x = x_1, and such that

• no time elapses in A_0, C_0, D, A, C', F_2, H_2, A_2 and D_2;

• any visit to C_0 or C' is eventually followed (strictly) by a visit to C' or F_2;

• the cost exactly equals 3 along each part of ρ between A or A_0 and the next visit in D, between C_0 or C' and the next visit in C' or F_2, between the last visit to D and H_2, and between H_2 and D_2.

Then x_1 = 2x_0 and for every n ∈ N, x_0 ≠ 3^{-n}.

Proof. The arguments of the previous proof still apply: the value of x at the k-th visit to D is 3^k x_0. If x_0 had been of the form 3^{-n}, then ρ would not have been able to fire the transition to E_2. Also, the value of x when ρ visits H_2 is precisely x_0. The part from H_2 to D_2 is then as follows:

(H_2, x_0) →[0] (A_2, x_0) →[0] (B_2, x_0) →[2(1 − x_0)] (B_2, 1) →[0] (C_2, 0) →[κ] (C_2, κ) →[+1] (D_2, κ).

The cost of this part is 2(1 − x_0) + κ + 1, so that x_1 = κ = 2x_0. □

Again, these results can easily be adapted to the case of an instruction testing and decrementing c_2: it suffices to

• set the costs of states B_0, B, E_1, E_2, G_1 and G_2 to 2,

• set the cost of B_2 to 3,

• set the discrete cost of C_2 → D_2 to 0,

• set the discrete costs of C → D, G_1 → H_1 and G_2 → H_2 to +1.

Global reduction. We now explain the global reduction: the automaton A_M is obtained by plugging the modules above together following the instructions of M. There is one special module for instruction Halt, which is made of a single Halt state. We also add a special initial state that lets 1 t.u. elapse (so that x = 1) before entering the first module.

The WMTL formula is built as follows: we first define an intermediary subformula stating that no time can elapse in some given state. It writes zero(P) = G(P ⇒ (P U_{=0} ¬P)). If the local cost in state P is not zero (which is the case in all the states of A_M), this formula forbids time elapsing in P. We then let φ_1 be the formula requiring that time cannot elapse in a state labelled with A, D, A_0, C_0, C', F_1, F_2, H_1, H_2, A_2 and D_2. It remains to express the other conditions of Lemmas 3.12, 3.13 and 3.14. We write φ_2 for the corresponding formula.

Footnote: For instance, the conditions of Lemmas 3.13 and 3.14 would be expressed as

G ( Mod_decr ⇒ (
  [ ((A ∨ A_0) ⇒ (¬D U_{=3} D))
    ∧ ((C_0 ∨ C') ⇒ (¬(C' ∨ F_1) U_{=3} (C' ∨ F_1)))
    ∧ ((D ∧ ¬D U H_1) ⇒ (¬H_1 U_{=3} H_1)) ]
  ∨
  [ ((A ∨ A_0) ⇒ (¬D U_{=3} D))
    ∧ ((C_0 ∨ C') ⇒ (¬(C' ∨ F_2) U_{=3} (C' ∨ F_2)))
    ∧ ((D ∧ ¬D U H_2) ⇒ (¬H_2 U_{=3} H_2))
    ∧ (H_2 ⇒ (¬D_2 U_{=3} D_2)) ] ) )

The following proposition is now straightforward: 

Proposition 3.15. The machine M halts iff there exists a run in A_M satisfying φ_1 ∧ φ_2 ∧ F Halt.

Remark 3.16. • For the sake of simplicity, our reduction uses discrete costs, so that our WMTL formulas only involve constraints "= 0" and "= 3" (and the same formula φ_2 can be used for both counters). But our undecidability result easily extends to automata without discrete costs.

• Our reduction uses a {1, 2, 3}-sloped cost variable, but it could be achieved with any {p, q, r}-sloped cost variable (with 0 < p < q < r, and p, q and r pairwise coprime) by encoding the values of the counters by the clock value (p/q)^{c_1} · (p/r)^{c_2}.

• Our WMTL formula can easily be turned into a WMITL formula (whose syntax is that of MITL [AFH96], i.e., with no punctual constraints). It suffices to replace formulas of the form (¬p) U_{=n} p with (¬p) U_{≤n} p ∧ (¬p) U_{≥n} p.



3.3.2. Two-Clock PTA with One Stopwatch-Cost Variable. While this case does not fit in our "one-clock" setting, it is an interesting intermediate step between the previous and the next results.

Theorem 3.17. Model checking two-clock PTA with one stopwatch cost against WMTL properties is undecidable.

Proof. The proof uses the same encoding, except that states with cost 2 or 3 are replaced by sequences of states with costs 0 and 1 having the same effect. We have two different kinds of states with cost 2 (or 3):
• those in which we stay until x = 1:

(diagram not reproduced: location A, then a location of cost 2 with invariant x < 1, left to C on x = 1 with reset x := 0)

These states are replaced by the following submodule:

(diagram not reproduced: A → B → B' → B'' → C, the intermediate locations having costs 0 and 1, with guards x = 1 and z = 1 and resets x := 0 and z := 0 on the edges)

Footnote: The atomic proposition Mod_decr is used to indicate that we are in a module decrementing one of the counters. It implicitly labels all the states of such modules.
A simple computation shows that both sequences have the same effect on clock x and induce the same cost. Of course, the case of cost 3 is handled by adding one more pair of states with costs 0 and 1.

• those in which we enter with x = 0 (and exit with x < 1):

(diagram not reproduced: location A, then a location B of cost 2 with invariant x < 1, then C, with reset x := 0)

Those are replaced with a slightly different sequence of states:

(diagram not reproduced: A → B → B' → B'' → C, with guards and resets on x and z, including x = 1, z := 0 and x := 0)

Again, one is easily convinced that both sequences are "equivalent", and that this transformation adapts to states with cost 3. □



3.3.3. One-Clock PTA with Two Stopwatch-Cost Variables. In the above constructions, each clock can be replaced with an observer variable, i.e., with a "clock cost" that is not involved in the guards of the automaton anymore. We briefly explain this transformation on an example, and leave the details to the keen reader.

Figure 10: Replacing a clock with an extra "clock cost" (figure not reproduced)

Figure 10 displays the transformation to be applied to the automaton. It then suffices to enforce that no time elapses in states x_0, x_{<1} and x_{=1}, and that the following formula holds:

⋀_{∼n ∈ {<1, =1}} ( (x_0 ∧ ¬x_0 U x_{∼n}) ⇒ (¬x_0 U_{c_x ∼ n} x_{∼n}) )

This precisely encodes the role of clock x in the original automaton with a clock cost c_x, which is in particular a stopwatch cost. Note that this transformation is not correct in general, but it is here because our reduction never involves two consecutive transitions with the same guard. Thus, we immediately get the following result:

Theorem 3.18. Model checking one-clock PTA with two stopwatch-cost variables against WMTL properties is undecidable.






4. Conclusion 

In this paper, we have studied various model-checking problems for one-clock priced timed automata. We have proved that the model-checking of one-clock priced timed automata against WCTL properties is PSPACE-complete. This is rather surprising, as model-checking TCTL over one-clock timed automata has the same complexity, though TCTL offers far fewer features. For proving this result, we have exhibited a sufficient granularity such that the truth of formulas over regions defined with this granularity is uniform. Based on this result, we developed a space-efficient algorithm which computes the satisfaction of subformulas on-the-fly. This result has to be contrasted with the undecidability result of [BBM06], which establishes that model-checking priced timed automata with three clocks or more against WCTL properties is undecidable.

We have also depicted the precise decidability border for WMTL model-checking, a cost-constrained extension of LTL. We have proved that the restriction to a single clock and a single stopwatch cost variable leads to decidability, and that any single extension leads to undecidability.

There are several natural research directions: the decidability of WCTL model-checking for two-clock priced timed automata is not known; we only know that these models have an infinite bisimulation [BBR04]. Another interesting extension is multi-constrained modalities, e.g. E φ U_{cost_1 < 5, cost_2 > 3} ψ.